
Storage Media Encryption Overview

Encrypting storage media in the data center has become a critical issue. Numerous high profile incidents of lost or stolen tape and disk devices have underscored the risk and exposure companies face when sensitive information falls into the wrong hands. To satisfy the most demanding requirements, Cisco MDS 9000 Family Storage Media Encryption (SME) for the Cisco MDS 9000 family switches offers a highly scalable, reliable, and flexible solution that integrates encryption transparently as a fabric service for Fibre Channel SANs.

This chapter provides an overview of the SME and the hardware and software requirements for the product. It contains the following sections:

• About SME, page 1

• About MIBs, page 9

• Software and Hardware Requirements, page 10

• SME Prerequisites, page 13

• SME Security Overview, page 14

About SME

The SME solution is a comprehensive network-integrated encryption service with enterprise-class key management that works transparently with existing and new SANs. The innovative Cisco network-integrated solution has numerous advantages over competitive solutions available today:

• SME installation and provisioning are both simple and nondisruptive. Unlike other solutions, SME does not require rewiring or SAN reconfiguration.

• Encryption engines are integrated on the Cisco MDS 9000 18/4-Port Multiservice Module (MSM-18/4), the Cisco MDS 9222i Multiservice Module Switch, and the 16-Port Gigabit Ethernet Storage Services Node (SSN-16), which eliminates the need to purchase and manage extra switch ports, cables, and appliances.

• Traffic from any virtual SAN (VSAN) can be encrypted using SME, enabling flexible, automated load balancing through network traffic management across multiple SANs.

• No additional software is required for provisioning, key, and user role management; SME is integrated into Cisco DCNM for SAN (DCNM-SAN), which reduces operating expenses.

Cisco MDS 9000 Series Storage Media Encryption Configuration Guide 1

Note: When using SME, SSI images should not be loaded and installed on 18+4 cards and SSN-16. Also, the bootvar should not be set to load these images.

The following figure shows the integration of SME with SAN fabrics to offer seamless management of data encryption.

Figure 1: SME

This section covers the following topics:

SME Features

The Cisco MDS 9000 Family of intelligent directors and fabric switches provide an open, standards-based platform for hosting intelligent fabric applications and services. As a platform, the Cisco MDS 9000 family switches provide all essential features required to deliver secure, highly available, enterprise-class Fibre Channel storage area network (SAN) fabric services. Cisco has integrated encryption for data-at-rest as a transparent fabric service to take full advantage of this platform.

SME is a standards-based encryption solution for heterogeneous disks, tape libraries, and virtual tape libraries. SME is managed with Cisco DCNM-SAN and a command-line interface (CLI) for unified SAN management and security provisioning. SME includes the following comprehensive built-in key management features:

Transparent Fabric Service

Cisco employs a Fibre Channel redirect scheme that automatically redirects the traffic flow to an MSM-18/4 module, an MDS 9222i switch, or an SSN-16 module anywhere in the fabric. There are no appliances in-line in the data path and there is no SAN rewiring or reconfiguration.

Encryption

SME uses strong, IEEE-compliant AES 256 encryption algorithms to protect data at rest. Advanced Cisco MDS 9000 SAN-OS and NX-OS software security features, such as Secure Shell (SSH), Secure Sockets Layer (SSL), RADIUS, and Fibre Channel Security Protocol (FC-SP) provide the foundation for the secure architecture.

SME uses the NIST-approved random number standard to generate the keys for encryption.


Encryption and compression services are transparent to the hosts and storage devices.

Encryption Algorithms

The IEEE-approved standard for encryption of disk drives is IEEE 1619—Standard Architecture for Encrypted Shared Storage Media (1619.1 for tape drives). It specifies the XTS encryption mode commonly used for disk encryption. The IEEE Security in Storage Working Group (SISWG) was investigating the possibility of submitting the XTS mode to NIST for consideration as an Approved Mode of Operation for FIPS 140-2 certification. It uses a narrow-block encryption algorithm, and the standardization process for a wide-block algorithm is currently in progress as 1619.2. Other encryption algorithms for consideration are LRW-AES and AES-CBS. Draft versions of the IEEE 1619 standard had used LRW-AES, which was later replaced by XTS-AES.

SME Roles

SME services include the following four configuration and security roles:

• SME Administrator

• SME Storage Administrator

• SME Key Management Center (KMC) Administrator

• SME Recovery Officer

The SME Administrator configures and maintains SME. This role can be filled by multiple storage network administrators. The SME Storage Administrators are responsible for SME provisioning operations and the SME KMC Administrators are responsible for the SME KMC administration operations. The security officer may be assigned the SME KMC Administrator role in some scenarios.

Note: The SME Administrator role includes the SME Storage Administrator and the SME KMC Administrator roles.

The SME Recovery Officers are responsible for key recovery operations. During SME configuration, additional Recovery Officers can be added. SME Recovery Officers play a critical role in recovering the key database of a deactivated cluster and they are responsible for protecting the master key. The role of the SME Recovery Officer separates master key management from SME administration and operations. In some organizations, a security officer may be assigned to this role.

At the advanced security level, a quorum of SME Recovery Officers is required to perform recovery procedures. The default is 2 out of 5. In this case 2 of the 5 recovery officers are required to unlock the master key.

For additional information on SME Administrator and SME Recovery Officer roles, see Creating and Assigning SME Roles and SME Users.

Key Management

Cisco Key Management Center (KMC) provides essential features such as key archival, secure export and import, and key shredding.

Key management features include the following:

• Master key resides in a password-protected file or in smart cards.


◦If the cluster security mode is set to Basic, the master key resides in the password-protected file.

◦If the cluster security mode is set to Standard, the master key resides in only one smart card, and that same smart card is required to recover the master key.

◦If the cluster security mode is set to Advanced, the master key resides in multiple smart cards. A quorum of smart cards (2 out of 3, 2 out of 5, or 3 out of 5, based on the user selection) is required to recover the master key.

• Unique key per tape for an SME tape cluster.

• Unique key per LUN for an SME disk cluster.

• Keys reside in clear-text only inside a FIPS boundary.

• Tape keys and intermediate keys are wrapped by the master key and deactivated in the CKMC.

• Disk keys are wrapped by the cluster master key and deactivated in the CKMC.

• Option to store tape keys on tape media.
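The quorum of Recovery Officers described above and the Advanced security mode's 2-of-3, 2-of-5 or 3-of-5 smart cards both rest on splitting one master key into shares. The page does not say which sharing scheme SME uses; the following is an added example, not Cisco's code, that uses Shamir secret sharing over a prime field (an assumption about the scheme) to show why any quorum of shares rebuilds the key while a short set is rejected. The master key, officer numbers and share values are constructed for the example.

```python
import secrets

# Mersenne prime 2**521 - 1 (a known prime) is larger than any 256-bit key,
# so a master key fits in a single field element without truncation.
PRIME = 2**521 - 1
KEY_BYTES = 32  # size of an AES-256 master key


def _eval_poly(coeffs, x):
    """Horner evaluation of the polynomial with the given coefficients at x, mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_master_key(master_key, quorum, officers):
    """Split master_key into `officers` shares; any `quorum` of them rebuild it.

    Returns {officer_number: share_value}. Officer number 0 is never issued,
    because f(0) is the secret itself.
    """
    if not 1 < quorum <= officers:
        raise ValueError("quorum must be at least 2 and at most the number of officers")
    secret = int.from_bytes(master_key, "big")
    # A random polynomial of degree quorum-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(quorum - 1)]
    return {i: _eval_poly(coeffs, i) for i in range(1, officers + 1)}


def recover_master_key(shares):
    """Lagrange-interpolate f(0) from {officer_number: share_value}.

    With fewer shares than the quorum the interpolation yields an effectively
    random field element, which (with overwhelming probability) does not fit
    in KEY_BYTES and is rejected rather than returned as a bogus key.
    """
    secret = 0
    xs = list(shares)
    for i in xs:
        num, den = 1, 1
        for j in xs:
            if i != j:
                num = num * (-j) % PRIME
                den = den * (i - j) % PRIME
        lagrange_at_zero = num * pow(den, -1, PRIME) % PRIME
        secret = (secret + shares[i] * lagrange_at_zero) % PRIME
    if secret.bit_length() > 8 * KEY_BYTES:
        raise ValueError("quorum not met or share corrupted")
    return secret.to_bytes(KEY_BYTES, "big")


def demo():
    """Constructed scenario: a 32-byte master key and five recovery officers."""
    master_key = secrets.token_bytes(KEY_BYTES)
    two_of_five = split_master_key(master_key, 2, 5)
    three_of_five = split_master_key(master_key, 3, 5)
    # Officers 2 and 5 meet the 2-of-5 quorum; officers 1, 3 and 4 meet 3-of-5.
    ok_2of5 = recover_master_key({2: two_of_five[2], 5: two_of_five[5]}) == master_key
    ok_3of5 = recover_master_key({k: three_of_five[k] for k in (1, 3, 4)}) == master_key
    # Two officers of a 3-of-5 cluster are one card short of the quorum.
    try:
        recover_master_key({1: three_of_five[1], 2: three_of_five[2]})
        short_rejected = False
    except ValueError:
        short_rejected = True
    return ok_2of5, ok_3of5, short_rejected


if __name__ == "__main__":
    print(demo())  # expected (True, True, True)
```

In SME each share would live on a PIN-protected smart card rather than in memory; the arithmetic is the same.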

The centralized key lifecycle management includes the following:

• Archive, shred, recover, and distribute media keys.

◦Integrated into DCNM-SAN.

◦Secure transport of keys.

• End-to-end key management using HTTPS/SSL/SSH.

◦Access controls and accounting.

◦Use of existing AAA mechanisms.

The Cisco KMC provides dedicated key management for SME, with support for single and multisite deployments. The Cisco KMC performs key management operations.

The Cisco KMC is either integrated or separated from DCNM-SAN depending on the deployment requirements.

Single site operations can be managed by the integration of the Cisco KMC in DCNM-SAN. In multisite deployments, the centralized Cisco KMC can be used together with the local DCNM-SAN servers that are used for fabric management. This separation provides robustness to the KMC and also supports the SME deployments in different locations sharing the same Cisco KMC.

Figure 2: Multisite Setup in Cisco KMC, on page 5 shows how Cisco KMC is separated from DCNM-SAN for a multisite deployment.


A Cisco KMC is configured only in the primary data center and DCNM-SAN servers are installed in all the data centers to manage the local fabrics and provision SME. The SME provisioning is performed in each of the data centers and the tape devices and backup groups in each of the data centers are managed independently.

Figure 2: Multisite Setup in Cisco KMC


In the case of multisite deployments when the Cisco KMC is separated from DCNM-SAN, fabric discovery is not required on the Cisco KMC installation. The clusters that have a connection to the Cisco KMC will be online and the clusters that are not connected, but are not deactivated, appear as offline. The SME clusters that are deleted from the fabric appear as deactivated.

The high availability Cisco KMC server consists of a primary server and a secondary server. When the primary server is unavailable, the cluster connects to the secondary server and fails over to the primary server once the primary server is available. The high availability KMC will be available after you configure the high availability settings in DCNM-SAN Web Client.

Clustering

Cluster technology provides reliability and availability, automated load balancing, failover capabilities, and a single point of management.


FC-Redirect

SME performance can easily be scaled up by adding more Cisco MDS 9000 Family switches or modules. The innovative Fibre Channel redirect capabilities in Cisco MDS 9000 NX-OS enable traffic from any switch port to be encrypted without SAN reconfiguration or rewiring.

Server-Based Discovery for Provisioning Disks and Tapes

SME provides discovery of backend targets using the identity of the host during a session establishment.

Target-Based Load Balancing

The SME cluster consists of a set of switches (in a dual-fabric environment) running the SME application. Clustering offers target-based load balancing of SME application services. The cluster infrastructure allows the SME application to communicate and coordinate to maintain consistency and high availability.

Load balancing is achieved by distributing ownership of the various metadata objects throughout the cluster. SME assigns hosts to the available SME interfaces using the following algorithm:

• All hosts for a given target port are always assigned to the same SME interface.

• If a target port is connected to one of the SME switches, an interface is selected based on the load from the target-connected switch. That is, the target locality is considered when choosing an SME interface for a target.

• If a target is connected to a switch that has no SME interface, then the target is assigned to the least loaded available interface in the SME cluster.

In target-based load balancing, the load on an interface refers to the number of targets assigned to that interface.

Caution: SME provides a load balancing CLI that allows you to rebalance the targets assigned to the available SME interfaces in the cluster. However, the load balancing command is disruptive to the traffic. Ensure that you execute this command at a scheduled downtime; otherwise, the existing traffic will be affected.
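The three assignment rules above, in an added model that is not Cisco's implementation: load is the number of targets owned by an interface, targets stick to their interface, hosts inherit their target's interface, and a from-scratch rebalance reports which targets move (the traffic the caution above says is interrupted). Switch and interface names, target pWWNs and host names are constructed for the example.

```python
class SmeCluster:
    """Model of SME target-based load balancing (assumption: names are constructed)."""

    def __init__(self, switches):
        # switches: {switch_name: [sme_interface, ...]}; a switch with no
        # encryption engine is listed with an empty list.
        self.switches = {sw: list(ifaces) for sw, ifaces in switches.items()}
        self.load = {iface: 0 for ifaces in self.switches.values() for iface in ifaces}
        self.owner = {}  # target pWWN -> SME interface that owns it

    def add_interface(self, switch, iface):
        """A new engine (MSM-18/4, 9222i fixed slot or SSN-16 engine) joins the cluster."""
        self.switches.setdefault(switch, []).append(iface)
        self.load[iface] = 0

    def _least_loaded(self, candidates):
        # Tie-break on the interface name so assignment is deterministic.
        return min(candidates, key=lambda iface: (self.load[iface], iface))

    def assign_target(self, target_pwwn, attached_switch):
        """Pick the SME interface for a target port; the choice is sticky once made."""
        if target_pwwn in self.owner:
            return self.owner[target_pwwn]
        local = self.switches.get(attached_switch, [])
        # Target locality: if the target's own switch has engines, choose among
        # them by load; otherwise fall back to the least loaded engine anywhere.
        candidates = local if local else list(self.load)
        if not candidates:
            raise RuntimeError("no SME interface in the cluster")
        iface = self._least_loaded(candidates)
        self.owner[target_pwwn] = iface
        self.load[iface] += 1
        return iface

    def assign_it_nexus(self, host_pwwn, target_pwwn, attached_switch):
        """All hosts of one target port always land on that target's interface."""
        return self.assign_target(target_pwwn, attached_switch)

    def rebalance(self, targets):
        """Recompute every assignment from scratch, like the load balancing CLI.

        Returns {target: (old_iface, new_iface)} for targets that moved; each
        such target's traffic is interrupted, hence scheduled downtime.
        """
        fresh = SmeCluster(self.switches)
        moved = {}
        for target_pwwn, attached_switch in targets:
            new_iface = fresh.assign_target(target_pwwn, attached_switch)
            old_iface = self.owner.get(target_pwwn)
            if old_iface != new_iface:
                moved[target_pwwn] = (old_iface, new_iface)
        self.owner, self.load = fresh.owner, fresh.load
        return moved


def demo():
    """Constructed two-switch cluster; sw2 initially has no encryption engine."""
    cluster = SmeCluster({"sw1": ["sw1/eng1", "sw1/eng2"], "sw2": []})
    targets = [("T1", "sw1"), ("T2", "sw1"), ("T3", "sw2"), ("T4", "sw2")]
    before = {t: cluster.assign_target(t, sw) for t, sw in targets}
    # Two hosts that back up to T1 share T1's interface.
    hosts = {h: cluster.assign_it_nexus(h, "T1", "sw1") for h in ("H1", "H2")}
    # An engine is added on sw2; rebalancing pulls sw2's targets local.
    cluster.add_interface("sw2", "sw2/eng1")
    moved = cluster.rebalance(targets)
    return before, hosts, moved


if __name__ == "__main__":
    print(demo())
```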

SME Terminology

The following SME-related terms are used in this book:

• SME interface—The security engine in the MSM-18/4 module or fixed slot of a Cisco MDS 9222i fabric switch. Each MSM-18/4 module and MDS 9222i switch has one security engine.

• SME cluster—A network of MDS switches that are configured to provide the SME functionality; each switch includes one or more MSM-18/4 modules and each module includes a security engine. Includes one or more nodes or switches for high availability (HA) and load balancing.

• Fabric—A physical fabric topology in the SAN as seen by DCNM-SAN. There can be multiple VSANs (logical fabrics) within the physical fabric.

• Tape group—A backup environment in the SAN. This consists of all the tape backup servers and the tape libraries that they access.


• Tape device—A tape drive that is configured for encryption.

• Tape volume—A physical tape cartridge identified by a barcode for a given use.

• Tape volume group—A logical set of tape volumes that are configured for a specific use, for example, a group of tape volumes used to back up a database.

• Disk group—A set of disks that are grouped functionally.

• Disk—A LUN. A LUN is a logical unit that is exported to the host by the storage controller.

• IT-NEXUS—The initiator and target pWWNs that define a host-to-target connection.

• SME node—Each switch in the cluster is called an SME node and plays a role in determining if the cluster has a quorum.

• Cisco Key Management Center (CKMC)—A component of DCNM-SAN that stores the encryption keys.

• Master key—An encryption key generated when an SME cluster is created. The master key encrypts the tape volume keys and tape keys and it is required to decrypt those keys in order to retrieve encrypted data.

• Media key—A key that is used for encrypting and authenticating the data on specific tapes.

• Disk key—A key that is used for encrypting and authenticating the data on specific disks.

• SmartCard—A card (approximately the size of a credit card) with a built-in microprocessor and memory used for authentication.

• SME Administrator—An administrator who configures SME. This role includes the Cisco Storage Administrator role, where the administrator manages the SME operations, and the SME KMC Administrator role, where the administrator is responsible for the SME key management operations.

• Storage Administrator—An administrator who manages the SME operations.

• SME KMC Administrator—An administrator who is responsible for the SME key management operations.

• SME Recovery Officer—A data security officer entrusted with smart cards and the associated PINs. Each smart card stores a share of the cluster master key. Recovery officers must present their cards and PINs to recover the key database of a deactivated cluster. A quorum of recovery officers is required to execute this operation.

Supported Topologies

SME supports single- and dual-fabric topologies. The Cisco MSM-18/4 module, the MDS 9222i switch, and the SSN-16 provide the SME engines used by SME to encrypt and compress data-at-rest. Multiple modules can be deployed in a Fibre Channel fabric to easily scale up performance, to enable simplified load balancing, and to increase availability. In a typical configuration, one MSM-18/4 module is required in each SME cluster.

SME clusters include designated backup servers, tape libraries, and one or more MDS switches running Cisco SAN-OS Release 3.2(2c) or later or NX-OS 4.x or later. One cluster switch must include an MSM-18/4 module. With easy-to-use provisioning, traffic between any host and tape on the fabric can utilize the SME services.

Required SME engines are included in the following Cisco products:

• Cisco MDS 9000 Family 18/4-Port Multiservice Module (MSM-18/4)


• Cisco MDS 9222i Multiservice Module Switch

• Cisco MDS 16-Port Storage Services Node (SSN-16)

Single-Fabric Topology for Tape

Figure 3: SME: Single-Fabric Topology, on page 8 shows a single-fabric topology in which the data from the HR server is forwarded to the Cisco MSM-18/4 module. The Cisco MSM-18/4 module can be anywhere in the fabric. SME does a one-to-one mapping of the information from the host to the target and forwards the encrypted data to the dedicated HR tape. SME also tracks the barcodes on each encrypted tape and associates the barcodes with the host servers.

Figure 3: SME: Single-Fabric Topology, on page 8 shows encrypted data from the HR server is compressed and stored in the HR tape library. Data from the email server is not encrypted when backed up to the dedicated email tape library.

Figure 3: SME: Single-Fabric Topology

Note: Tape devices should be connected to core switches such as an MDS 9500 Series switch or MDS 9222i switch running Cisco SAN-OS Release 3.2(2c) or later or Cisco NX-OS Release 4.x or later, or to an MDS 9710 Series switch running Cisco NX-OS 6.2(3) or later.

Encryption and compression services are transparent to the hosts and storage devices. These services are available for devices in any virtual SANs (VSANs) in a physical fabric and can be used without rezoning.


Single-Fabric Topology for Disk

In a single-fabric topology for disk, the data from the HR server is forwarded to the Cisco MSM-18/4 module, Cisco MDS 9222i switch, or SSN-16 module. The Cisco MSM-18/4 module, Cisco MDS 9222i switch, or SSN-16 module can be anywhere in the fabric. SME does a one-to-one mapping of the information from the host to the target and forwards the encrypted data to the dedicated HR disk.

SME disk also supports a dual-fabric topology, in which the data can be encrypted on all the paths.

Note: Disk devices should be connected to core switches, such as an MDS 9500 Series switch or an MDS 9222i switch, running Cisco NX-OS Release 5.2(1) or later.

Encryption is transparent to the hosts and storage devices. These services are available for devices in any virtual SANs (VSANs) in a physical fabric and can be used without rezoning.

In-Service Software Upgrade in SME

In-Service Software Upgrade (ISSU) is a comprehensive, transparent software upgrade capability that allows you to add new features and services without any disruption to the traffic.

In a cluster which has MDS 9222i switches as nodes, if the nodes are not able to communicate, then the node having the lowest node identifier (node ID) remains in the cluster while the other node leaves the cluster. However, when an ISSU is performed on the node having the lowest node identifier, a complete loss of the cluster results, since both nodes leave the cluster.

This undesirable situation is addressed in a two-node cluster as follows:

• The upgrading node sends a message to the other node of its intent to leave the cluster. The upgrading node can be either a master node or a slave node.

• The remaining node remains in the cluster and takes over the role of the master node if it was a slave node. This node continues to remain in the cluster with the quorum intact.

• After the ISSU is completed and the switch boots up, the upgraded node rejoins the cluster as a slave node.

Note: This feature is tied to the internals of the ISSU logic and no additional command needs to be executed for this purpose.

About MIBs

The MIB module manages the SME service. SME is an encryption service provided by an encryption node residing on a line card in a storage device. It receives clear-text data from the host, encrypts it, and then sends it to be written to tape or disk. It does the reverse in the opposite direction, so the service is completely transparent to the host. The purpose of this service is to enhance data security in case the tape or disk is lost or stolen.

As with any service important to the user, SME must provide some level of fault tolerance in a graceful manner. SME provides fault tolerance by allowing encryption nodes to be grouped into a cluster. Nodes in the same cluster immediately take over the work of a failed node so that the user does not experience service disruption.

Software and Hardware Requirements

This section includes the following topics:

Software Requirements

All MDS switches in the SME cluster must be running the current release of Cisco SAN-OS Release 3.2(2c) or later, or Cisco NX-OS 4.x or later software for SME Tape. Cisco NX-OS Release 5.2(1) or later software is required for SME Disk. The software requirements include the following:

• DCNM-SAN must be running Cisco SAN-OS Release 3.2(2c) or later or Cisco NX-OS Release 4.x or later for SME Tape.

• The Cisco MDS switches attached to tape devices must be running Cisco SAN-OS Release 3.2(2c) or later or Cisco NX-OS Release 4.x or later, or be connected to an MDS 9710 Series switch running Cisco NX-OS 6.2(3) or later.

• All switches that include MSM-18/4 modules must be running Cisco SAN-OS Release 3.2(2c) or later or Cisco NX-OS Release 4.x or later software for SME Tape.

• DCNM-SAN must be running Cisco NX-OS Release 5.2(1) for SME Disk.

• All Cisco MDS switches in the SME cluster enabled for disks must be running Cisco NX-OS Release 5.2(1).

• All switches that include MSM-18/4 modules, MDS 9222i switches, or SSN-16 modules must be running Cisco NX-OS Release 5.2(1) for SME Disk.

Hardware Requirements

SME requires at least one encryption service engine in each cluster. The SME engines on the required modules provide the transparent encryption and compression services to the hosts and storage devices. To take full advantage of the standard and advanced security levels, a smart card reader is required.

For detailed information on required hardware and installing required hardware, refer to the specific installation guides. For information about ordering hardware, refer to http://www.cisco.com/c/en/us/buy.html.

This section includes information about the following required hardware:

Cisco MDS 9000 Family 18/4-Port Multiservice Module

The Cisco MDS 9000 Family 18/4-Port Multiservice module (MSM-18/4) provides 18 autosensing 1-, 2-, and 4-Gbps Fibre Channel ports and four Gigabit Ethernet IP services ports. The MSM-18/4 module provides multiprotocol capabilities such as Fibre Channel, Fibre Channel over IP (FCIP), Small Computer System Interface over IP (iSCSI), IBM Fiber Connectivity (FICON), and FICON Control Unit Port (CUP) management.

The MSM-18/4 module provides 18 4-Gbps Fibre Channel interfaces for high-performance SAN and mainframe connectivity and four Gigabit Ethernet ports for FCIP and iSCSI storage services. Individual ports can be configured with hot-swappable shortwave, longwave, extended-reach, coarse wavelength-division multiplexing (CWDM) or dense wavelength-division multiplexing (DWDM) Small Form-Factor Pluggables (SFPs) for connectivity up to 125 miles (200 km).

The MSM-18/4 module can minimize latency for disk and tape through FCIP write acceleration and FCIP tape write and read acceleration. The MSM-18/4 module provides up to 16 virtual Inter-Switch Link (ISL) connections on the four 1-Gigabit Ethernet ports through tunneling, and provides up to 4095 buffer-to-buffer credits that can be assigned to a single Fibre Channel Port.

The MSM-18/4 provides intelligent diagnostics, protocol decoding, and network analysis tools with the integrated Call Home capability.

Note: Cisco MDS 9000 Series switches running Cisco SAN-OS Release 3.2(2c) or later or Cisco NX-OS Release 4.x or later support the MSM-18/4 module for SME tape. Cisco MDS 9000 Series switches running Cisco NX-OS Release 5.2(1) support the MSM-18/4 and SSN-16 modules for SME disk.

For additional information, refer to the Cisco MDS 9500 Series Hardware Installation Guide.

Cisco MDS 9222i Multiservice Modular Switch

The Cisco MDS 9222i Multiservice Modular switch includes an integrated supervisor module (in slot 1) that provides the control and management functions of the Cisco MDS 9222i switch and it provides an 18-Port Fibre Channel switching and 4-Port Gigabit Ethernet IP services module. The Cisco MDS 9222i built-in supervisor module provides multiple communication and control paths to avoid a single point of failure. The Cisco MDS 9222i supervisor module has a PowerPC PowerQUICC III class processor, 1 GB of DRAM, and an internal CompactFlash card that provides 1 GB of storage for software images.

The Cisco MDS 9222i switch includes a modular expansion slot to host Cisco MDS 9000 Family switching and services modules. For additional information, refer to the Cisco MDS 9200 Series Hardware Installation Guide.

Note: The Cisco MDS 9222i switch requires Cisco SAN-OS Release 3.2(2c) or later or Cisco NX-OS Release 4.x or later for SME tape. The Cisco MDS 9222i switch requires Cisco NX-OS Release 5.2(1) for SME disk.

Cisco MDS 16-Port Storage Services Node

The Cisco MDS 9000 Family 16-Port Storage Services Node (SSN-16) hosts four independent service engines which can be individually and incrementally enabled to scale as business requirements grow. The SSN-16 configuration is based on the single service engine of the Cisco MDS 9000 Family 18/4-Port Multiservice module and the four-to-one consolidation provides hardware savings and frees up slots in the MDS 9500 series chassis.

The SSN-16 seamlessly integrates into the Cisco MDS 9500 Series Multilayer directors and the Cisco MDS 9222i Multiservice Modular switch. Each of the four service engines supports four Gigabit Ethernet IP storage services ports for a total of 16 ports of Fibre Channel over IP (FCIP) connectivity. The traffic can be switched between an IP port and any Fibre Channel port on Cisco MDS 9000 Family switches.


The SSN-16 supports the full range of services available on other Cisco MDS 9000 Family modules including VSAN, security, and traffic management. Features such as I/O Accelerator (IOA), SME Disk and Tape, and FCIP can be configured in different octeons in a single SSN-16 module.

By running four separate, concurrent applications on one module, SSN-16 provides the following functions:

• Provides better disaster recovery and continuity solutions for mission critical applications.

• Minimizes the number of devices required, which improves the reliability.

• Consolidates the management with a single module, which provides end-to-end visibility.

• Facilitates solution-level performance optimization.

The SSN-16 module provides transparent services to any port in a fabric and does not require additional SANreconfiguration and rewiring. The module does not require the host or target to be directly attached and isavailable with multimodule clustering and balancing.

The SSN-16 module supports up to four SME interfaces per module and provides higher scalability and improved performance of up to 20 percent over the MSM-18/4 module and the MDS 9222i switch.

Note: Cisco MDS 9500 Series switches running Cisco NX-OS Release 4.2(1) or later support the SSN-16.

For additional information, refer to the Cisco MDS 9500 Series Hardware Installation Guide.

FC-Redirect-Capable Switches

Note: In Cisco MDS NX-OS Release 5.2(x), you cannot install an FCoE module in a switch that is running DMM, SME, or IOA.

SME requires that each target switch be FC-Redirect capable. FC-Redirect is not supported on the following switches:

• Cisco MDS 9120 switch

• Cisco MDS 9140 switch

• Cisco MDS 9124 switch

• Cisco MDS 9134 switch

• Cisco MDS 9020 switch

Note: In Cisco MDS NX-OS Release 6.2(1), FC-Redirect is not supported on the Cisco MDS 9710 switch. Fibre Channel Redirect (FCR) support is introduced on Cisco MDS 9710 Series switches running Cisco NX-OS 6.2(3) or later.


Note: SME does not support any FCoE-connected devices, including devices connected through the MDS FCoE line card (DS-X9708-K9).

Note: Disk devices, tape devices, and tape libraries are not supported on these edge switches. Disks and tapes cannot be connected to these switches.

Smart Card Readers

To employ standard and advanced security levels, SME requires the following:

• Smart Card Reader for SME (DS-SCR-K9)

• Smart Card for SME (DS-SC-K9)

The smart card reader is a USB device that is connected to a management workstation. The management workstation is used to configure the SME cluster. The smart card reader requires the smart card drivers that are included on the installation CD. These must be installed on the management workstation where the reader is attached.

The smart card reader is supported on Windows-only platforms. This support includes only the Windows4 64-bit and Windows XP 32-bit platforms.

Note: For the newly installed smart card drivers to work efficiently with the smart card readers, you must stop all Microsoft smart card services.

SME Prerequisites

This section describes the following requirements:

• Java Cryptography Extension Requirement

• Zoning Requirement

• FC-Redirect Requirements

Java Cryptography Extension Requirement

SME requires the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 5.0 (for JRE 1.5). You must extract and copy the local_policy.jar and US_export_policy.jar files to <DCNM install path>\dcm\java\jre1.6\lib\security\. You can obtain these files from the DCNM-SAN Installation CD.

Note: You must manually copy these JCE policy files again every time a DCNM upgrade is performed; the DCNM upgrade does not retain them.

Zoning Requirement

SME creates internal virtual N ports in the default zone. The default zone must be set to deny, and these virtual N ports must not be zoned with any other host or target.


For information on zoning, refer to the Fabric Configuration Guide, Cisco DCNM for SAN and the Cisco MDS 9000 Family NX-OS Fabric Configuration Guide.

FC-Redirect Requirements

FC-Redirect requirements include the following:

• The MDS switch with the MSM-18/4 module installed, or the MDS 9222i switch, needs to be running Cisco MDS SAN-OS Release 3.2(2c) or later, or Cisco NX-OS Release 4.x or later.

• The target must be connected to an MDS 95XX, 9216, or 9222i switch running Cisco MDS SAN-OS Release 3.2(2c) or later, or Cisco NX-OS Release 4.x or later, or to an MDS 9710 Series switch running Cisco NX-OS 6.2(3) or later.

• 32 targets per MSM-18/4 module can be FC-redirected.

• Each FC-redirected target can be zoned to 16 hosts or less.

• CFS should be enabled on all required switches for FC-Redirect.

• SME servers, disk targets, and tape devices should not be part of an IVR zone set.

• Advanced zoning capabilities such as quality of service (QoS), logical unit number (LUN) zoning, and read-only LUNs must not be used for FC-Redirect hosts and targets.

SME Security Overview

SME transparently encrypts and decrypts data inside the storage environment without slowing or disrupting business-critical applications.

In SME Tape, SME generates a master key, tape volume keys, and tape keys. The keys are encrypted in a hierarchical order: the master key encrypts the tape volume keys and the tape keys.

In SME Disk, SME generates a master key and disk keys. The keys are encrypted in a hierarchical order: the master key encrypts the disk keys.

The keys are also copied to the key catalog on the Cisco KMC server for backup and archival. Eventually, inactive keys are removed from the fabric, but they are retained in the Cisco KMC catalog. The keys can be retrieved automatically from the Cisco KMC by the SME services in the fabric if they are needed again.

A single Cisco KMC can be used as a centralized key repository for multiple fabrics with SME services if desired. Key catalog import and export capabilities are also provided to accommodate moving tape media to different fabrics in environments with multiple Cisco KMC servers. Backup applications can be used to archive the key catalogs for additional protection.
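The key hierarchy and catalog behaviour described above (master key wrapping per-media keys, inactive keys leaving the fabric but staying in the KMC catalog) modelled as an added illustration; this is not Cisco code, and the wrap construction (HMAC-SHA256 counter-mode XOR with an HMAC tag) is a stand-in, since the page does not describe SME's actual key-wrap algorithm. The `KeyCatalog` class, its method names, and the volume id are assumptions.

```python
import hmac
import hashlib
import secrets

# Added illustration, not Cisco code. Stand-in key wrap: the master key never
# encrypts data, only per-media keys, mirroring the hierarchy the page describes.


def _subkey(master_key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC subkeys derived from the master key
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def wrap_key(master_key: bytes, media_key: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(master_key, b"enc"), nonce, len(media_key))
    ct = bytes(a ^ b for a, b in zip(media_key, ks))
    tag = hmac.new(_subkey(master_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag          # nonce(16) || wrapped key || tag(32)


def unwrap_key(master_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(master_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # wrong master key or tampered catalog entry
        raise ValueError("wrapped key failed integrity check")
    ks = _keystream(_subkey(master_key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class KeyCatalog:
    """Hypothetical model of the KMC catalog plus the copy of keys held in the fabric."""

    def __init__(self, master_key: bytes):
        self.master_key = master_key
        self.catalog = {}        # volume id -> wrapped key (backup/archive copy on the KMC)
        self.fabric_cache = {}   # volume id -> wrapped key currently held by the SME engine

    def new_volume_key(self, volume_id: str) -> bytes:
        media_key = secrets.token_bytes(32)
        wrapped = wrap_key(self.master_key, media_key)
        self.catalog[volume_id] = wrapped
        self.fabric_cache[volume_id] = wrapped
        return media_key

    def retire_from_fabric(self, volume_id: str) -> None:
        self.fabric_cache.pop(volume_id, None)      # inactive key leaves the fabric only

    def key_for(self, volume_id: str) -> bytes:
        wrapped = self.fabric_cache.get(volume_id) or self.catalog[volume_id]  # KMC still has it
        self.fabric_cache[volume_id] = wrapped       # re-fetched into the fabric on demand
        return unwrap_key(self.master_key, wrapped)
```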

Note: An SME cluster can be configured either for SME Disk or for SME Tape, not both. Tape and Disk configurations cannot coexist in the same cluster.


Additional Security Capabilities

Additional security capabilities offered by Cisco NX-OS complete the SME solution. For example, RADIUS and TACACS+ servers can be used to authenticate, authorize, and provide accounting (AAA) for SME administrators. Management of SME can be limited to authorized administrators using role-based access controls (RBACs). When communication occurs from the DCNM-SAN to cluster nodes, the Secure Shell (SSHv2) protocol provides message integrity and privacy. PKI certificates can be configured in the Cisco KMC and cluster nodes to enable a trustpoint (SSL-protected transport).
